fix: GetCSRFToken() shouldn't fall back to the cookie

internal/middleware/csrf.go

@@ -37,21 +37,13 @@ func SetCSRFToken(w http.ResponseWriter, r *http.Request, token string) {
 }
 
 func GetCSRFToken(r *http.Request) string {
-	if token := strings.TrimSpace(r.FormValue(CSRFTokenFormName)); token != "" {
+	token := strings.TrimSpace(r.FormValue(CSRFTokenFormName))
+	if token == "" {
+		token = strings.TrimSpace(r.Header.Get(CSRFTokenHeaderName))
+	}
 	return token
 }
 
-	if token := strings.TrimSpace(r.Header.Get(CSRFTokenHeaderName)); token != "" {
-		return token
-	}
-
-	if cookie, err := r.Cookie(CSRFTokenCookieName); err == nil {
-		return strings.TrimSpace(cookie.Value)
-	}
-
-	return ""
-}
-
 func ValidateCSRFToken(r *http.Request) bool {
 	formToken := GetCSRFToken(r)
 	if formToken == "" {